Managing Your MSSP Relationship

A Managed Security Service Provider (or “MSSP”) can be a powerful addition to your organization when properly integrated. Drawing on the variety of skills and roles an MSSP can offer gives your organization the ability to scale its capabilities and staffing more quickly than trying to do so in-house.

However, fostering a successful relationship with your MSSP isn’t a complete “hands-off” exercise. In order for you to get the most out of your MSSP, it’s important to consider a number of key factors. Let’s discuss how to “manage the managers” to ensure a mutually beneficial working environment: 


Mutual Understanding 

The first and most important step when working with an MSSP is to ensure their support services align with your security goals. MSSPs can offer a second set of eyes to ensure your organization is on track to meet your cyber objectives, whether that’s SIEM monitoring, operating a SOC, running a vulnerability management program, or achieving compliance with a specific framework.  

MSSPs can also provide detailed plans to help you meet your goals when you’re not sure where to start. One of the major benefits of working with an MSSP is leveraging their experience. Your organization may be trying to accomplish something for the first time, or improving performance to achieve a new security target or objective. No matter the motivation, a mature MSSP organization will have demonstrated experience in the area, and is poised to help you accomplish a similar project or target, based on organizational size, budgets, and industry.  


Shared Responsibility 

Once your security goals are understood, your organization and the MSSP need to discuss responsibilities. Define and agree upon who will be responsible for specific tasks and processes. Cover all your bases, including whether you expect your MSSP to be on-call for specific events such as upgrades and incident response efforts.  

Define and agree upon SLAs. How quickly do you require acknowledgment and initial response efforts? What is a reasonable amount of time to accomplish specific tasks such as regular patching, emergency patching, break-fixes, and other efforts? What are the implications of missing an SLA? These questions need to be addressed by you and the MSSP prior to onboarding. 

Set expectations for communication. How often should your MSSP provide status updates, and how should those updates be provided? A responsibility matrix (RACI) should be developed to ensure all parties involved are aware of the expectations, penalties, and any other applicable terms and conditions. The RACI may even form a schedule on the contract. 


Share Your Roadmap 

You should make your MSSP aware of any relevant current projects, as well as any short-term and long-term goals. Doing so helps your MSSP understand what you value, and how they can better serve your organization. 

Being clear about your current initiatives and future directions will help your MSSP prioritize its efforts and plan for a successful future. Discussing future plans also gives your MSSP the chance to identify ways to optimize efforts going forward. Some MSSPs offer the opportunity for you to participate in focus groups or steering committees, helping to advise them on the needs of your organization. It’s a great way to strengthen your partnership and help ensure that the MSSP is responsive to your needs in the future. 


Share Your Experiences 

To help your MSSP understand your goals for the future, discuss some of your organization’s past successes and failures. It’s worth highlighting some of your organization’s current and past change management processes. Discuss what worked, what didn’t, and why. Your MSSP may be able to implement improvements to existing or previous processes that better fit your needs. 

The same should be done for incident response. Reviewing some of your past breaches and incident reports offers your MSSP an opportunity to highlight areas needing improvement, and better protect your environment in the future. Similarly, your MSSP can offer insights about their previous experiences, including what worked and what didn’t. Cyber incidents can be painful experiences: the silver lining can be the lessons learned after an incident. 


Network Integration 

The level of network access you provide your MSSP will depend on your goals and your responsibility matrix. Ensure the access you provide your MSSP is sufficient for them to meet their requirements, and no more. Overly permissive accounts can have unintended consequences, such as expanding your overall attack surface. It’s also essential to configure additional alerts or dashboards to monitor your MSSP’s access and network activities.

Be clear about your security policies and how they might affect your MSSP’s ability to access your network (e.g., account lockout policies, VPN requirements, BYOD policies, MDM requirements, geo-location restrictions, etc.). Additionally, be transparent with your network’s configuration to provide your MSSP with knowledge that may be applicable to their responsibilities.
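As an added illustration of the monitoring point above (this is example code, not part of the original article or any ISA Cybersecurity tooling), the following script checks MSSP service-account activity against a scope policy of the kind a responsibility matrix would define: the MSSP's agreed egress range, the hosts it is permitted to touch, a change window for routine work, and the requirement that configuration changes reference a ticket. The event format, the policy values, and the sample log lines are all constructed for the example; adapt the parser to your SIEM's real schema.

```python
"""Flag MSSP service-account activity that falls outside the agreed scope.

Added example, not from the original article. It assumes a simple
'key=value' event format and a hypothetical scope policy; both are
constructed here and would be replaced with your SIEM's schema and your
own responsibility-matrix values.
"""
import ipaddress
from datetime import datetime, time

# Hypothetical scope agreed in the responsibility matrix (constructed values).
MSSP_POLICY = {
    "accounts": {"svc-mssp-soc", "svc-mssp-patch"},
    # MSSP egress range; 203.0.113.0/24 is a documentation (TEST-NET-3) block.
    "allowed_sources": [ipaddress.ip_network("203.0.113.0/24")],
    "in_scope_hosts": {"siem-01", "fw-edge-01", "vuln-scan-01"},
    # Window in which routine (non-incident) changes are expected, local time.
    "change_window": (time(22, 0), time(4, 0)),
    # Actions that must carry a change/incident ticket reference.
    "ticketed_actions": {"config_change", "patch_install", "service_restart"},
}


def parse_event(line):
    """Parse one 'key=value key=value ...' event into a dict with a datetime ts."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def in_window(ts, window):
    """True if ts falls inside a (start, end) window that may wrap past midnight."""
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def audit_event(event, policy):
    """Return the list of scope violations for one event (empty when in scope)."""
    findings = []
    if event["user"] not in policy["accounts"]:
        return findings  # not an MSSP account; this check does not apply
    src = ipaddress.ip_address(event["src"])
    if not any(src in net for net in policy["allowed_sources"]):
        findings.append("source outside MSSP egress range")
    if event["host"] not in policy["in_scope_hosts"]:
        findings.append("host outside agreed scope")
    if event["action"] in policy["ticketed_actions"]:
        if event.get("ticket", "none") == "none":
            findings.append("ticketed action without ticket reference")
        if not in_window(event["ts"], policy["change_window"]):
            findings.append("change outside agreed window")
    return findings


def audit_log(lines, policy=MSSP_POLICY):
    """Audit every line; return {line_index: findings} for lines with findings."""
    results = {}
    for i, line in enumerate(lines):
        findings = audit_event(parse_event(line), policy)
        if findings:
            results[i] = findings
    return results


# Constructed sample events, not real logs.
SAMPLE_LOG = [
    "ts=2024-03-05T23:10:00 user=svc-mssp-patch src=203.0.113.7 host=fw-edge-01 action=patch_install ticket=CHG-1042",
    "ts=2024-03-05T23:12:00 user=svc-mssp-soc src=203.0.113.9 host=siem-01 action=query ticket=none",
    "ts=2024-03-06T10:30:00 user=svc-mssp-patch src=203.0.113.7 host=fw-edge-01 action=config_change ticket=none",
    "ts=2024-03-06T11:00:00 user=svc-mssp-soc src=198.51.100.22 host=hr-db-01 action=query ticket=none",
    "ts=2024-03-06T11:05:00 user=alice src=10.0.0.5 host=hr-db-01 action=query ticket=none",
]

if __name__ == "__main__":
    for idx, findings in audit_log(SAMPLE_LOG).items():
        print(f"line {idx}: {SAMPLE_LOG[idx]}\n    -> {', '.join(findings)}")
```

On the sample data the first two events pass (a ticketed patch inside the window and a routine query from the agreed range), the third is flagged for an unticketed configuration change outside the window, and the fourth for an MSSP account reaching an out-of-scope host from an unexpected source. Each finding maps directly to a line in the responsibility matrix, which is what makes the alert actionable in a conversation with the provider rather than just noisy.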


Managing Multiple Service Providers 

If you plan to work with more than one MSSP, or MSP (Managed Service Provider) in any capacity, it becomes more crucial that you set clear expectations and boundaries. Setting clear guardrails helps keep everyone on track to accomplish their goals, both individually and collaboratively, without getting in each other’s way. Doing so also minimizes the risk of passing blame and finger-pointing in the event of operational issues. 

When it comes to security, specifically, make sure everyone knows their role(s). The teams responsible for incident response should know who to contact regardless of whether it’s someone internal to your organization or another service provider. The same goes for disaster recovery roles, compliance, and all the other components of your business.  

An honest, open line of communication between you and your MSPs and MSSPs, with you as the broker or mediator, helps to foster positive interactions between all parties involved and – most importantly – helps drive success for your organization.   


Last word: you can’t outsource responsibility 

It’s important to remember that when you outsource day-to-day monitoring or management of your security services, you are not outsourcing your responsibility. While collaborating effectively with your MSSP helps manage risk, the onus remains on you to ensure that your customer, personnel, and other operating data is safe and secure. 


Conclusion 

Working with an MSSP is a great way to improve your organization’s capabilities more quickly and at a scale that would be impractical – if not impossible – to achieve solely in-house. With years of experience and a SOC 2, Type II Security Operations Centre (SOC), ISA Cybersecurity is well-positioned to help your organization with a wide array of managed service offerings. Contact us today to learn more. 
